Always On VPN before Windows logon (Formerly Always On service)

February 28, 2020

Contributed by:
C

The Always On VPN before Windows logon feature establishes a machine-level VPN tunnel before any user logs in to a Windows system. The tunnel remains active until the machine shuts down. After the user logs on, the device-level VPN tunnel is taken over by a user-level VPN tunnel. After the user logs off, the user-level tunnel is torn down and a device-level tunnel is established. Always On VPN before Windows logon can be configured by using advanced policies only. For details, see Configure Always On VPN before Windows logon.

Always On VPN before Windows logon encompasses the following:

The Windows machine can verify the user’s login credentials against the corporate Active Directory (AD), and Windows credentials are not cached on the machine. New corporate AD users can also log on to the machine seamlessly.

The Windows machine becomes part of the corporate intranet even before users log in, allowing IT administrators to access the client machine from the corporate network for debugging purposes.

The VPN tunnel for a Windows machine remains connected even when different users log in to or log out of the machine.

Points to note:

Citrix Gateway and the VPN plug-in must be version 13.0.41.20 or later.

If a client machine does not have internet connectivity, Always On VPN before Windows logon waits for internet connectivity to become available before establishing the VPN tunnel.

If a client machine is connected to a captive portal network, Always On VPN before Windows logon waits for the user to authenticate to the captive portal. After the user logs in and internet access is enabled, Always On VPN before Windows logon establishes the VPN tunnel.

Depending on the user configuration mode, one of the following statements is displayed on the logon screen:

Citrix Gateway is connected in service mode

Citrix Gateway is connected in user mode
